How to Have 'The Talk' About Security with Your Customers
Tips to start the cybersecurity conversation with clients, for their safety and your trusted adviser status.
October 10, 2022
By Jon Arnold
Jon Arnold
Cybersecurity is a lot like life insurance — it’s the last thing you’d like to think about, you don’t think bad things will happen to you, and it’s a waste of money for something you don’t even understand. Until there’s a security or compliance breach, your customers won’t be asking you about it, and otherwise, they don’t seem receptive to the idea of you bringing it up.
This is especially true for SMBs, who are budget-minded, not technically steeped in security and, with more immediate day-to-day priorities, not inclined to plan longer term. As their channel partner — and hopefully trusted adviser — you know that cybersecurity is a big problem, and only getting worse. So how do you start a conversation and have “the talk” with your customers? Not only can this be uncomfortable for them, but for channel partners as well, so what’s your starting point?
Whether your customers lack knowledge about the state of things with cybersecurity, or their perceptions have been shaped by inaccurate or misleading information, there’s a terrific opportunity here for the channel. By presenting customers with a factual picture of what’s happening, along with the risks posed by unchecked threats, you’re well-positioned to change hearts and minds, and suggest solutions that will help protect their data. Not only can this enhance your trusted adviser standing with individual customers, but with the right security partners, it can set you on course to develop a healthy security practice.
Key Talking Points for Your Customers
Rather than take a negative tone based on FUD — fear, uncertainty and doubt — focus on the objective realities, not just for what SMBs face every day, but also the broader trends impacting all businesses, especially in terms of how technology is advancing.
A good point of entry would be around unified communications-as-a-service (UCaaS), either for an existing deployment, or one you’re trying to get them started on. If you’ve positioned UCaaS as a productivity enabler instead of a way to reduce telecom costs, the security conversation will be easier to have, since you’re tying it to something that ’s important to their business.
Also, with UCaaS being part of their cloud migration journey, security becomes an even bigger part of the story for overall business continuity. With that in mind, here are some pertinent, industry-based trends that can seamlessly connect the dots between the value of UCaaS and the need to mitigate cybersecurity threats.
Use of communications and collaboration tools is growing. All you need to do is look at the adoption trends for Microsoft Teams to validate this. All the UCaaS platforms are posting double-digit annual growth rates, and as the traffic levels increase, so do the risks for cybersecurity. Despite being a legacy, pre-UCaaS tool, email usage also remains high, and we all know this application is rife with all kinds of attacks.
Social channels for business are growing as well. We all use these, and they’ve now become an integral part of the communications mix, in the workplace and the contact center. Whether social media platforms such as LinkedIn or Twitter, or messaging platforms like WhatsApp or Messenger, they have a role to play for driving productivity. All are common targets for bad actors.
Digital transformation is an ongoing process. All businesses are becoming more digital, and with UCaaS, this also applies to your communications applications. This is creating new data streams, and as digital channels are added, each represents a new vector for attacks.
Bad actors are getting more sophisticated. The more digital touchpoints you have, the more attractive a target you become — no matter if you’re a big or small business. This also means that bad actors keep evolving to find new vulnerabilities. Just because you can now identify mass-scale phishing schemes and malware threats doesn’t mean you’re safe. Fraudsters have moved on to other methods, such as social engineering, where they can extract information from social media activity to develop highly targeted, personal pitches to specific employees.
Cybersecurity insurance is becoming a business requirement. If customers haven’t mentioned this already, you should explain that this is an indication of just how real — and prevalent — security issues have become, especially in regulated verticals. Satisfying these insurance requirements should be viewed as money well spent, especially when your customer’s customers start to demand it.
Mindset of SMB leaders. This is more subtle, but it’s easy for SMBs to think that security threats only happen with enterprises, and that they’re too small to be targets. This is, in fact, the precise reason SMBs are attractive cybersecurity targets — with that thinking, they don’t take adequate precautions, making them easy marks. Not only that, since SMBs are more numerous than enterprises, there’s no shortage of targets.
Finally, Talk About the Bigger Picture
Security offerings can be sold stand-alone like any other point solution, but the value proposition is stronger when tied to bigger things. Some customers might view security simply as a logical add-on to UCaaS, especially once they understand the new vulnerabilities that arise from having high-volume data streams going in and out of their network. However, when considering the range of UCaaS offerings, it’s important to note that for some vendors, security is core and is built into their UCaaS solution, while others offer it à la carte.
That explanation could be sufficient for getting them to deploy an appropriate security solution, but you can also position this on a higher, more holistic plane.
At the most basic level, security measures should be taken to …
… protect their employees — but note that some offerings are more concerned with network and data protection, and less so with protecting end users. This should be another consideration for the security component offered by vendors, as some are only network-centric, offering little in the way for addressing end user security needs.
With lines blurring between home and work, security threats can hit businesses from either type of activity. Aside from exposing the business to all this, personal privacy and identity is very much at risk, so that’s another consideration for security. Given that most breaches are caused by human error rather than technology shortcomings, employee protection needs to be a prime consideration.
Aside from protection for employees, internal needs are just as important. Network operations are the engines for your customer’s business, and this requires a more comprehensive security framework. These types of threats are different in that they target the business rather than individual employees. One vector is the network itself, where the intention is to disrupt or shut down operations. While enterprises are more likely targets for this — especially from win-at-all-costs competitors — SMBs can certainly be attacked this way, so this threat cannot be overlooked.
A more likely vector, however, will be the data and applications that are really the lifeblood of the business. As technology has evolved from hardware to software, data has become businesses’ most-valuable asset, and really should be the highest-risk priority when thinking about security. UCaaS may generate significant volumes of data, but it’s just one of many data sources for any business. They’re all vulnerable once attackers find the weakest link to access the network, which in many cases is the way end users are using a communications application.
Why Should Channels Bother with Security?
This is a fair question, given that most of your customers know little about security issues, care even less about learning more, or aren’t inclined to spend money on something that doesn’t drive sales. Given that channels don’t know much about security, either, and aren’t getting orders for it, surely there must be easier and more profitable offerings to sell?
All of this is true, and many channels will choose the path of least resistance and just keep selling what customers are buying.
That said, the trends outlined here are undeniable. Your customer’s security issues are only going to grow. At that point, they’ll certainly be in trouble, but so will you. Not only will they make their own plans to fix these problems, but because you didn’t offer a solution earlier, you’ll likely lose their business altogether.
Software-as-a-service (SaaS) may be the preferred business model now, but the downside is that switching costs are low. Channels must earn their customer’s business every day, and if customers feel their interests aren’t being served, they have many alternatives. In that regard, channels should be viewing security as their own insurance to keep their trusted adviser standing, and to set customers up for success, not just in deploying UCaaS, but also for their bigger transition to the cloud.
Jon Arnold is principal at J Arnold & Associates, which provides thought leadership and go-to-market counsel, primarily on the business-level effect of communications technology on digital transformation. He writes JAA’s Analyst Blog as well as a monthly podcast and newsletter. You may follow him on LinkedIn or @arnoldjon on Twitter.
You May Also Like